
Video Transcription

00:05

Developing software using sound practices is crucial in today's cyber landscape, where exploiting weaknesses in an application can have a detrimental impact on an organization through loss of service availability or breach of sensitive information.

00:19

Vulnerabilities in software can occur during development if secure coding best practices aren't followed.

00:26

To support the developer community, there are several groups that maintain resources and guidance for best practices in secure coding.

00:33

A few of the commonly trusted groups include the Open Web Application Security Project, or OWASP,

00:40

SANS, and the Center for Internet Security, or CIS.

00:44

OWASP is an open community that strives to provide valuable resources for developing, acquiring, operating and maintaining trusted applications.

The OWASP Software Assurance Maturity Model, also known as SAMM, is a flexible, open source framework designed to target risks associated with an organization's software security.

01:11

The framework provides resources for evaluating existing software, for building and improving a security assurance program through the use of well-defined iterations, and for defining and evaluating security-related events.

01:23

OWASP publishes the Development Guide, which contains tips for secure software development and information on current security threats. There are guides for testing, code review, application verification standards and recommendations for penetration tests, among others.

01:38

OWASP is probably most well known for the OWASP Top 10.

01:42

OWASP receives feedback from the community to compile the top 10 application vulnerabilities, along with the risk, impact and mitigation for each.

01:52

While this report is an important guide for developers, it cannot be the single source for developers.

01:57

Other considerations are important, such as human error and an organization's prioritized threats that may not be on the Top 10 list.

02:07

The SANS organization specializes in cyber and information security and is an industry leader in training and certification programs.

02:14

They also partner with industry on research initiatives and offer resources and guidelines for secure software development.

02:22

The Global Information Assurance Certification, or GIAC, was founded by SANS and is their certification arm that evaluates an individual's applicable knowledge in an information security field.

02:32

The developer track of the certifications addresses secure coding principles and secure development processes.

02:39

The Center for Internet Security, or CIS, is a nonprofit organization specializing in providing trusted security controls, benchmarks and best practices for cyber defense activities.

02:50

Additional services include security assessments, consulting services and securely configured, hardened images provided through cloud computing vendors.

The CIS controls, also referred to as the SANS Top 20, map to industry frameworks and regulations and are designed to help organizations protect their information assets from attacks.

03:16

The controls, six basic, 10 foundational and four organizational, are carefully constructed using a combination of information learned from known attacks, their effective defenses and expert knowledge from industry.

03:30

Each control was carefully designed to reduce the attack surface by following proper configuration and hardening techniques.

03:37

The Basic Control group includes the top critical security controls that are recommended for every organization, such as inventorying assets, securely configuring devices, vulnerability assessment and remediation activities and access control management.

03:52

The foundational control group is not considered as critical as the basic controls and focuses on technical areas such as malware protection, port security, data protection and recovery, and configuring network devices and boundaries.

04:05

The organizational control group contains some technical elements but focuses more on the people and processes within the organization,